VoIP vulnerabilities tackled by research company

VoIP vulnerabilities can present a serious security threat, but one company makes its living by doing research and alerting manufacturers, vendors and users to potential problems.

Kate Dostart, Associate Editor

Security threats to voice over IP (VoIP) are one of the major factors that deter numerous IT departments from implementing a VoIP system. But in the fight against denial of service (DoS) attacks, buffer overflow attacks, and hackers, there are companies that are prepared to find those hidden vulnerabilities.

For one such company, the fight has been going on for nearly three and a half years. In a recent announcement, Sipera VIPER Lab disclosed seven new threat advisories for SIP-based softphones and Web-based instant messaging services, specifically those from AOL, Avaya, MSN and Nortel. An additional four advisories were released for Avaya's SIP-based hard phones.

In 2003, Sipera Systems Inc. was created, along with affiliated research firm Sipera VIPER Lab, to find and document the vulnerabilities that threaten the successful use of VoIP at the enterprise level. By focusing its efforts strictly on voice over IP and IP-based communications, Sipera says it is better prepared to inform both manufacturers and users of VoIP phones and softphones of vulnerabilities that could interfere with their use of the equipment and applications.

"VIPER Lab looks only at VoIP and unified communications," said Brendan Ziolo, marketing director. "By proactively seeking out vulnerabilities, we are protecting VoIP systems against attacks before they can even happen."

The alerts raised by VIPER Lab state that these VoIP softphones could be vulnerable to such issues as resource exhaustion, buffer overflow, DoS attacks, and SIP parsing errors. In issuing these alerts, VIPER Lab contacts the manufacturers first, informing them of potential vulnerabilities in their hardware and software.

Once the manufacturers have had time to be alerted to the vulnerabilities, Sipera's customers are informed of any issues that could give rise to problems in systems that include these products.

In the latest alerts, VIPER found a number of vulnerabilities that were specific to softphones.

"Softphones provide great flexibility for communications but are very vulnerable to attacks. These not only pose threats to the VoIP system but also to the computing and network environments," said Krishna Kurapati, Sipera founder/CTO and head of Sipera VIPER Lab. "Left unaddressed, these vulnerabilities can disrupt critical business and personal voice communications, negating the many advantages to VoIP. Sipera works with its customers and vendors to address these threats before they become a major issue."

The advisories for hard phones were specifically for Avaya's 4602SW SIP phones, which have been found to be vulnerable to server impersonation, accepting SIP requests from random source IP addresses, open UDP port flooding, and RTP port flooding. These vulnerabilities can expose the phones to call hijacking, malicious messaging, denial of service, and voice quality degradation.

VIPER said that its alerts to vendors and its research reports also included best practices that could help alleviate the severity of the discovered vulnerabilities. VIPER feels that alerting vendors, manufacturers and users to these vulnerabilities protects existing VoIP systems from hackers better than making only vendors or manufacturers aware of them.

"It's important to understand that VoIP is now an application on the Internet and has its own security needs," Ziolo stressed when asked why these alerts are so important. "Enterprises should also realize that it is challenging and requires lots of time and work to have a secure VoIP network -- but it's not impossible."
